Internet Explorer hit by zero-day misery
By Stuart Turton
Posted on 24 Nov 2009 at 08:29
Microsoft has confirmed that a vulnerability in older versions of Internet Explorer could be used to hijack computers.
The exploit code turned up on the Bugtraq security mailing list on Friday, and was picked apart by Symantec over the weekend.
"The exploit targets a vulnerability in the way Internet Explorer uses Cascading Style Sheet (CSS) information," the company says on its blog.
"The exploit currently exhibits signs of poor reliability, but we expect that a fully-functional reliable exploit will be available in the near future. When this happens, attackers will have the ability to insert the exploit into websites, infecting potential visitors.
"The attack requires JavaScript to exploit Internet Explorer," the blog concludes.
The software giant has now acknowledged that the vulnerability exists, but has stressed that it has yet to see attacks in the wild. The company also claimed that Internet Explorer 8 is unaffected.
This will be small comfort, given that IE6 and IE7 hold 41% of the global browser market, according to Net Applications. Internet Explorer 8 trails with an 18.1% share.
The company has urged IE6 and 7 users to keep their antivirus software up to date and disable JavaScript until it can issue a patch. Microsoft would not be drawn on whether it would consider issuing an out-of-cycle patch to address the issue.
"Once we're done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves," the company says.
Microsoft's next planned update should arrive on 8 December.
"The company has urged IE6 and 7 users to keep their antivirus software up to date and disable JavaScript until it can issue a patch."
A better recommendation would be to upgrade to IE8. In fact that's a good thing to do in general regardless of this bug.
By peterm2k on 24 Nov 2009
Use Firefox.
By monsieurtechnica on 24 Nov 2009
